A framework for risk assessment in access control systems

Khambhammettu, Hemanth; Boulares, Sofiene; Adi, Kamel; Logrippo, Luigi

doi:10.1016/j.cose.2013.03.010

Cited by 39 publications

(22 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition, Khambhammettu et al [21] have suggested three different approaches to estimate security risks of access control operations using the risk assessment. These approaches use the subject trustworthiness, the object sensitivity, and the difference between them to estimate the risk value.…”

Section: Related Workmentioning

confidence: 99%

Fuzzy Logic with Expert Judgment to Implement an Adaptive Risk-Based Access Control Model for IoT

et al. 2019

View full text Add to dashboard Cite

The Internet of Things (IoT) is becoming the future of the Internet with a large number of connected devices that are predicted to reach about 50 billion by 2020. With proliferation of IoT devices and need to increase information sharing in IoT applications, risk-based access control model has become the best candidate for both academic and commercial organizations to address access control issues. This model carries out a security risk analysis on the access request by using IoT contextual information to provide access decisions dynamically. This model solves challenges related to flexibility and scalability of the IoT system. Therefore, we propose an adaptive risk-based access control model for the IoT. This model uses real-time contextual information associated with the requesting user to calculate the security risk regarding each access request. It uses user attributes while making the access request, action severity, resource sensitivity and user risk history as inputs to analyze and calculate the risk value to determine the access decision. To detect abnormal and malicious actions, smart contracts are used to track and monitor user activities during the access session to detect and prevent potential security violations. In addition, as the risk estimation process is the essential stage to build a risk-based model, this paper provides a discussion of common risk estimation methods and then proposes the fuzzy inference system with expert judgment as to be the optimal approach to handle risk estimation process of the proposed risk-based model in the IoT system.

show abstract

Section: Related Workmentioning

confidence: 99%

Fuzzy Logic with Expert Judgment to Implement an Adaptive Risk-Based Access Control Model for IoT

et al. 2019

View full text Add to dashboard Cite

show abstract

“…It is responsible for taking the input features and quantify the risk value associated with the access request. Determining the security risk associated with each access request is a complex task, which requires the consideration of a variety of factors [21]. However, the ultimate goal is to develop an efficient risk estimation process.…”

Section: Access Control Requirements In the Iotmentioning

confidence: 99%

“…Khambhammettu et al [21] have proposed a framework based on estimating object sensitivity, subject trustworthiness, and the difference between the object sensitivity and the subject trustworthiness using a risk assessment. However, this framework does not provide how to estimate the risk value for each situation of the environment.…”

Section: Related Workmentioning

confidence: 99%

Validation of an Adaptive Risk-based Access Control Model for the Internet of Things

Atlam¹,

Alenezi²,

Hussein³

et al. 2018

IJCNIS

View full text Add to dashboard Cite

Abstract-The Internet of Things (IoT) has spread into multiple dimensions that incorporate different physical and virtual things. These things are connected together using different communication technologies to provide unlimited services. These services help not only to improve the quality of our daily lives, but also to provide a communication platform for increasing object collaboration and information sharing. Like all new technologies, the IoT has many security challenges that stand as a barrier to the successful implementation of IoT applications. These challenges are more complicated due to the dynamic and heterogeneous nature of IoT systems. However, authentication and access control models can be used to address the security issue in the IoT. To increase information sharing and availability, the IoT requires a dynamic access control model that takes not only access policies but also real-time contextual information into account when making access decisions. One of the dynamic features is the security risk. This paper proposes an Adaptive Risk-Based Access Control (AdRBAC) model for the IoT and discusses its validation using expert reviews. The proposed AdRBAC model conducts a risk analysis to estimate the security risk value associated with each access request when making an access decision. This model has four inputs/risk factors: user context, resource sensitivity, action severity and risk history. These risk factors are used to estimate a risk value associated with the access request to make the access decision. To provide the adaptive features, smart contracts will be used to monitor the user behaviour during access sessions to detect any malicious actions from the granted users. To validate and refine the proposed model, twenty IoT security experts from inside and outside the UK were interviewed. The experts have suggested valuable information that will help to specify the appropriate risk factors and risk estimation technique for implantation of the AdRBAC model.

show abstract

“…Moreover, risk management principals to security have been utilized in [38] to develop risk assessment framework. The developed formulae to quantify risk based on the equation by NIST, which defines Risk as the likelihood multiplied by the Impact, is devised in three different ways.…”

Section: Risk-aware Access Control Modelsmentioning

confidence: 99%

Privacy Preserving Risk Mitigation Approach for Healthcare Domain

Aqeeli¹,

Al-Rodhaan²,

Tian³

et al. 2018

ETSN

View full text Add to dashboard Cite

In the healthcare domain, protecting the electronic health record (EHR) is crucial for preserving the privacy of the patient. To help protect the sensitive data, access control mechanisms can be utilized to restrict access to only legitimate users. However, an issue arises when the authorized users abuse their access privileges and violate privacy preferences of the patients. While traditional access control schemes fall short of defending against the misbehavior of authorized users, risk-aware access control models can provide adaptable access to the system resources based on assessing the risk of an access request. When an access request is deemed risky, but within acceptable thresholds, risk mitigation strategies can be exploited to minimize the risk calculated. This paper proposes a risk-aware, privacy-preserving risk mitigation approach that can be utilized in the healthcare domain. The risk mitigation approach controls the patient's medical data that can be exposed to healthcare professionals, according to their trust level as well as the risk incurred of such data exposure, by developing a novel Risk Measure formula. The developed Risk Measure is proven to manage the risk effectively. Furthermore, Risk Mitigation Data Disclosure algorithms, RIMIDI 0 and RIMIDI 1 , which utilize the developed risk measures, are proposed. Experimental results show the feasibility and effectiveness of the proposed method in preserving the privacy preferences of the patient. Since the proposed approach exposes the patient's data that are relevant to the undergoing medical procedure while preserving the privacy preferences, positive outcomes can be realized, which will ultimately bring forth quality healthcare services.

show abstract

A framework for risk assessment in access control systems

Cited by 39 publications

References 14 publications

Fuzzy Logic with Expert Judgment to Implement an Adaptive Risk-Based Access Control Model for IoT

Fuzzy Logic with Expert Judgment to Implement an Adaptive Risk-Based Access Control Model for IoT

Validation of an Adaptive Risk-based Access Control Model for the Internet of Things

Privacy Preserving Risk Mitigation Approach for Healthcare Domain

Contact Info

Product

Resources

About